My SIM swap attack: How I almost lost $71K, and how to prevent it

My SIM swap attack: How I almost lost $71K, and how to prevent it


@sparkystacey You’ve shared helpful information, before reading this I was totally unaware of such attack.

1 Like

This article certainly made me aware of the damage that can be done. However, I don’t understand how they initially gained access to the icloud account.

When you set up a new phone, you have to enter your icloud password. As far as I know there is no authentication / password recovery function using just the phone number / SMS. So, I don’t understand how the SIM swap really worked in this case, and how this could happen:

Face ID works on the phone level, so they added their face to result in a positive pass of Face ID, and that unlocked my account names from my iCloud.

Face ID just unlocks the phone and the (initially empty) keychain. It only unlocks an icloud account if it has already been authenticated. And it only unlocks passwords that have been entered and stored in the keychain before. But it does not unlock anything that has not previously been entered on that phone directly or indirectly.

I think the main takeaway is to not use “integrated phone services” for things like passwords, private keys etc.

Lastpass, any apple keychain kind of thing, Duo, any centralized “password managers” are all bad. Stick with basic things like KeepassX[C] and basic TOTP that’s not shared. Use things like Syncthing to share on local stack only (e.g. home wifi).

I think maybe there’s a nice market for privacy oriented folk with an “integrated self-hosted” solution like this to give the centralized options a run for their money. It’d certainly be a win for public safety if an alternative like that got adopted.

Of course all I said applies to the non-SIM specific part of this attack. If anyone is still using SIM/phone # 2FA that’s another story…

“And of course, an independent 2FA like Google Authenticator where it is an option is ideal. But if you lose your phone, its non-recoverable”

I use FreeOTP and back up every time I get a new entry via a .bat file in Windows through ADB. You can use a password and store it on an encrypted volume and it’s about as secure as anything else.

echo “Unlock phone.”
ren freeotp-backup.ab freeotp-backup.old2
del freeotp-backup.old
ren freeotp-backup.old2 freeotp-backup.old
adb backup -f freeotp-backup.ab -apk org.fedorahosted.freeotp

Yes, I’ve lost my phone and all my 2fa codes before. =D

It must have been a horrible experience, sorry for that.

Regarding the iCloud and FaceID part, I’m very fuzzy on the connection the SIM had to these things. From my experience, my FaceID would only be useful if you had my actual phone and iCloud has a login/pass all on it’s own, that I’ve had to struggle with when changed.

Maybe I’m not reading the story correctly since it seems like some details are missing??

To me, it is almost like you might have had someone physically possess your actual device with enough access to do some of these things. They could have used your apps, seen your passwords or requested PW changes, then swapped the SIM, so with a 2nd device and your old SIM, they could respond to the 2FA requests.

Anyway, thanks for raising awareness of SIM attack.

I believe they used 2FA to reset my passwords to iCloud and then used FaceID to unlock every other account in the system - some also requiring 2FA. It all happened very fast, and is largely untraceable. Very frustrating.